Evernote: So useful, even malware loves it

Backdoor found that uses Evernote account for setup—and possibly to steal data.

The Evernote interface for Chinese users—and the gateway to commands for a very sneaky backdoor.

Your average workaday botnet uses a command and control server to give the malware bots on infected PCs their marching orders. But as network security tools begin to block traffic to suspicious domains, some enterprising hackers are turning to communications tools less likely to be blocked by corporate firewalls, using consumer services to deliver their bidding to their digital minions. Today, security researchers at Trend Micro revealed the latest case of the consumerization of botnet IT: malware that uses an Evernote account to communicate.

The backdoor malware, designated as VERNOT.A by Trend Micro, is delivered via an executable file that installs the malware as a dynamic-link library. The installer then ties the DLL into a legitimate running process, hiding it from casual detection. Once up and running, the backdoor starts to collect information about the system it has made its home—the computer's name, the person and organization identified as its registered owners, the operating system version, and its timezone. Then it connects to Evernote—specifically the Chinese interface to the Evernote service—to fetch information from notes saved in an account, including commands to download, run, and rename files on its host system.

According to a blog post by Trend Micro Threat Response Engineer Nikko Tamaña, the backdoor may have also used Evernote as a location to upload stolen data. Fortunately (or unfortunately, depending on how you look at it), the account that was hard-coded into the backdoor's channel to home had already been shut down—ironically, because its password was reset after Evernote's recent security breach.

This isn't the first time a public consumer cloud service has been used to communicate with malware. There have been multiple cases of hackers using Twitter to control their botnets, including last year's Flashback botnet. The malware searched Twitter posts that included IP addresses to use for command and control servers if they lost contact with the last server used. The Makadocs backdoor used Google Docs in much the same way as Vernot used Evernote, acting as a communication channel between infected PCs and the command and control server.

Trend Micro CTO Raimund Genes told Ars during a question-and-answer session at a press briefing today in Washington that Evernote—and other file-sharing services such as Dropbox and Box.net—are an attractive avenue for hackers attempting targeted attacks on organizations or individuals because they don't attract the attention of administrators. "Nobody's going to block Dropbox or Box," he said. He added that many new backdoor attacks do most of their communication among infected systems within the network, and only push data outbound periodically—making it even harder for intrusion detection systems to spot unusual activity, because the bursts of uploads appear more like legitimate traffic to those services.
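The two detection problems Genes describes, a backdoor that polls a consumer service on a schedule and one that pushes stolen data out in bursts, are both visible in ordinary web-proxy logs if the logs are baselined per host rather than per domain. The following is an added example from this page's editor, not code from Ars, Trend Micro or Evernote: it runs two heuristics over a handful of constructed proxy log lines. The log layout (timestamp, source IP, destination host, method, bytes out, bytes in, User-Agent), the watchlist of service hostnames, and every threshold are assumptions chosen for illustration; a real deployment would use its own proxy's fields and tune the numbers against its own traffic.

```python
"""Beaconing and upload-burst heuristics over constructed proxy log lines.

Added example, not code from the article or from any vendor named in it.
The log format, hostnames and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Consumer services the article names as attractive C2 channels. This is a
# baseline watchlist, not a blocklist: the point is that these domains are
# normally allowed, so only behaviour toward them can be judged.
# Hostnames assumed for the example.
WATCHED_DOMAINS = {"www.evernote.com", "www.dropbox.com", "www.box.net"}

# Constructed sample. Host 10.0.0.5 polls Evernote every ~5 minutes with a
# fixed-size request (command fetch pattern); 10.0.0.7 is a person using
# Dropbox normally; 10.0.0.9 pushes two large POSTs with almost nothing
# coming back (exfiltration burst pattern).
SAMPLE_LOG = """\
2013-03-27T09:00:00 10.0.0.5 www.evernote.com GET 310 1840 Mozilla/4.0 (compatible; MSIE 6.0)
2013-03-27T09:05:01 10.0.0.5 www.evernote.com GET 310 1840 Mozilla/4.0 (compatible; MSIE 6.0)
2013-03-27T09:10:00 10.0.0.5 www.evernote.com GET 310 1902 Mozilla/4.0 (compatible; MSIE 6.0)
2013-03-27T09:15:02 10.0.0.5 www.evernote.com GET 310 1840 Mozilla/4.0 (compatible; MSIE 6.0)
2013-03-27T09:20:00 10.0.0.5 www.evernote.com GET 310 1840 Mozilla/4.0 (compatible; MSIE 6.0)
2013-03-27T09:02:13 10.0.0.7 www.dropbox.com GET 420 55210 Mozilla/5.0 (Windows NT 6.1) Chrome/25.0
2013-03-27T09:31:40 10.0.0.7 www.dropbox.com GET 415 120044 Mozilla/5.0 (Windows NT 6.1) Chrome/25.0
2013-03-27T11:04:09 10.0.0.7 www.dropbox.com POST 20311 512 Mozilla/5.0 (Windows NT 6.1) Chrome/25.0
2013-03-27T13:00:00 10.0.0.9 www.evernote.com POST 4800000 900 Mozilla/4.0 (compatible; MSIE 6.0)
2013-03-27T13:00:04 10.0.0.9 www.evernote.com POST 4800000 900 Mozilla/4.0 (compatible; MSIE 6.0)
"""


def parse_log(text):
    """Parse the assumed format: ts src dst method bytes_out bytes_in user-agent..."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, b_out, b_in, *ua = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "src": src, "dst": dst, "method": method,
            "bytes_out": int(b_out), "bytes_in": int(b_in),
            "ua": " ".join(ua),
        })
    return records


def group_by_pair(records):
    """Bucket requests to watched services by (source host, destination)."""
    pairs = defaultdict(list)
    for r in records:
        if r["dst"] in WATCHED_DOMAINS:
            pairs[(r["src"], r["dst"])].append(r)
    return pairs


def detect_beaconing(records, min_hits=4, max_cv=0.1):
    """Flag pairs whose inter-request gaps are nearly constant.

    A low coefficient of variation (stdev / mean) over several requests is
    the signature of a timer-driven poll rather than a person clicking.
    """
    findings = []
    for (src, dst), hits in group_by_pair(records).items():
        if len(hits) < min_hits:
            continue
        times = sorted(h["ts"] for h in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            findings.append({"kind": "beaconing", "src": src, "dst": dst,
                             "interval_s": avg, "hits": len(hits)})
    return findings


def detect_upload_bursts(records, min_bytes=1_000_000, min_ratio=0.9):
    """Flag pairs that send far more than they receive, above a byte floor.

    Normal use of a sync service downloads at least as much as it uploads
    over time; a host that only ever pushes large bodies stands out.
    """
    findings = []
    for (src, dst), hits in group_by_pair(records).items():
        out = sum(h["bytes_out"] for h in hits)
        total = out + sum(h["bytes_in"] for h in hits)
        if out >= min_bytes and out / total >= min_ratio:
            findings.append({"kind": "upload_burst", "src": src, "dst": dst,
                             "bytes_out": out, "ratio": out / total})
    return findings


def analyze(text):
    """Run both heuristics and return the combined list of findings."""
    records = parse_log(text)
    return detect_beaconing(records) + detect_upload_bursts(records)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample data the Dropbox user produces no finding, the polling host is reported as beaconing with a ~300 s interval, and the POST-heavy host is reported as an upload burst. Neither heuristic needs the request content, which matters here because traffic to these services is typically TLS and the destination is one the organization has decided to allow.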

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.